   
6.5.1.1 Identity Manager Architecture
VMware Identity Manager is provisioned as a hardened Linux virtual appliance (running SUSE Linux Enterprise 11) that consists of several internal components, including the connector and the web services. In previous versions of Identity Manager (formerly known as Workspace Portal), the connector and web services were provisioned as separate virtual appliances. Identity Manager no longer has this requirement, so service providers can truly benefit from horizontal scaling.
Note Please refer to the Identity Manager 2.8 documentation for installation and sizing guidance.
The connector is the default identity provider service, responsible for synchronizing user data between Active Directory and the Identity Manager service. Third-party identity providers such as Google for Work and Microsoft Azure can also be used, since they support the SAML 2.0 (Security Assertion Markup Language) protocol; users from such providers are created through SAML JIT (Just-in-Time) user provisioning.
When SAML JIT user provisioning is used with a third-party provider, users are created in the Identity Manager service dynamically at logon.
To provide high availability of Identity Manager, it is recommended that a minimum of three virtual appliances be deployed, with two or more Access Point virtual appliances. See the VMware documentation “Recommended Number of Nodes in VMware Identity Manager Cluster” in Section 10, References, for more information.
In previous versions of Access Point (2.7 or below), in order to provide gateway services to both Horizon 7 and Identity Manager, two pairs of Access Point virtual appliances were required running version 2.5 (for Horizon support) and 2.7 (for Identity Manager support). This is no longer the case since Access Point 2.7.2, and a single pair of Access Point appliances can support both Horizon and Identity Manager.
 
As illustrated in the following diagram, a load balancer in the DMZ is used for external connections, and an internal load balancer sits in front of the VMware Identity Manager appliances and the View Connection Servers.
Figure 15. Identity Manager Architecture
 
Note Identity Manager supports Transport Layer Security (TLS) 1.1 or 1.2. TLS 1.0 is disabled by default in VMware Identity Manager 2.6 or later. It can be enabled by following KB article 2144805: https://kb.vmware.com/kb/2144805